
5/10/2007 08:40 AM
RFID Security Service, Tools on Tap

New audit service and appliance to target RFID customers looking to lock down their systems

PacketFocus next week will launch one of the industry's first commercial RFID security auditing services -- and it's building an RFID security appliance as well, Dark Reading has learned.

RFID security has landed front and center during the past few months, with researchers demonstrating the ease of passport-hacking, card-cloning, and SQL injection attacks on RFID systems. Even so, many organizations still run less-secure, early-generation RFID systems, and do little to secure them. (See RFID Under Attack Again, Black Hat Cancels RFID Demo, HID, IOActive Butt Heads Again, and New RFID Attack Opens the Door.)

PacketFocus's new RFID security auditing service will identify policy and procedures for RFID, as well as check out reader and tag security, and how they are configured. "We'll look at passwords, RFID middleware, and how readers communicate with the middleware," says Joshua Perrymon, PacketFocus's CTO. "The service highlights potential vulnerabilities. You need to know what kind of risk you have in your network once you've brought RFID in."

Perrymon expects the main weak spots the audits detect to be input validation -- filtering out irrelevant characters before tag data reaches back-end systems -- and the way RFID tags and readers handle passwords, along with whatever policies and procedures an organization has or has not put in place, he says. PacketFocus will offer the RFID security auditing service under a new division called RFID Audit Group, he says.
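The input-validation weak spot Perrymon describes is the path from tag data to the middleware's database: a reader hands the middleware whatever bytes the tag carries, and if those bytes are spliced straight into a query, a tag becomes an injection vector (the SQL injection research mentioned above). The following Python example is added here to illustrate the check; it is not PacketFocus code or part of the audit service. It assumes 96-bit EPC identifiers (24 hex digits) as the allow-list format, an in-memory SQLite table standing in for middleware inventory, and constructed sample data.

```python
import re
import sqlite3

# Allow-list for tag identifiers: a 96-bit EPC is exactly 24 hex digits.
# (Assumed format for this example; other tag encodings need their own rule.)
EPC96_PATTERN = re.compile(r"^[0-9A-Fa-f]{24}$")

# Constructed sample inventory rows, not data from the article.
# "3034" + a zero-padded 20-digit number gives a 24-character identifier.
SAMPLE_INVENTORY = [
    ("3034%020d" % n, item, location)
    for n, (item, location) in enumerate(
        [("pallet-A", "dock-1"), ("pallet-B", "dock-1"), ("pallet-C", "dock-2")],
        start=1,
    )
]


def build_inventory_db():
    """In-memory stand-in for the middleware's inventory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE inventory (epc TEXT PRIMARY KEY, item TEXT, location TEXT)"
    )
    conn.executemany("INSERT INTO inventory VALUES (?, ?, ?)", SAMPLE_INVENTORY)
    conn.commit()
    return conn


def lookup_unvalidated(conn, tag_data):
    """The weak pattern an audit flags: raw tag bytes concatenated into SQL.

    Any tag whose payload contains a quote character changes the query; the
    reader has no way to tell a legitimate tag from a crafted one.
    """
    query = "SELECT item, location FROM inventory WHERE epc = '" + tag_data + "'"
    return conn.execute(query).fetchall()


def is_valid_epc(tag_data):
    """True only if the payload is a well-formed 24-digit hex EPC."""
    return bool(EPC96_PATTERN.match(tag_data))


def lookup_validated(conn, tag_data):
    """Hardened form: allow-list the tag format, then bind it as a parameter.

    Validation rejects anything that is not an EPC; parameter binding means
    the database never interprets tag bytes as SQL even if validation were
    loosened later.
    """
    if not is_valid_epc(tag_data):
        raise ValueError("rejected tag data that is not a 24-digit hex EPC")
    return conn.execute(
        "SELECT item, location FROM inventory WHERE epc = ?",
        (tag_data.upper(),),
    ).fetchall()


if __name__ == "__main__":
    db = build_inventory_db()
    good_tag = "3034%020d" % 2
    bad_tag = "' OR '1'='1"  # constructed malformed payload, not a real tag
    print("validated lookup:", lookup_validated(db, good_tag))
    print("unvalidated, malformed tag returns:", len(lookup_unvalidated(db, bad_tag)), "rows")
    try:
        lookup_validated(db, bad_tag)
    except ValueError as err:
        print("validated lookup:", err)
```

The two lookups differ in exactly the way an auditor would report: the first trusts the reader, the second treats tag data as untrusted input from an unauthenticated device.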

Meanwhile, it's also developing an RFID security appliance that detects and reports attacks, called RF Defender, he says. The appliance, which will be priced between $40,000 and $50,000, will sit with the RFID reader, and can be used in both access-control and supply chain-type RFID environments, he says.

"The appliance has multiple sensors and integrates into the RFID environment. We not only look at the RFID reads, we correlate with the middleware and other layers to provide a holistic view of the RFID system. This allows us to correlate events and detect attacks in-depth," he says. The product will detect denial of service, and password-type attacks, for instance.
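The two detections Perrymon names, denial of service and password-type attacks, are both rate anomalies when viewed from the reader and middleware together: a flood of reads at one antenna, or a run of failed tag-password operations at one reader. The following Python example is added to show what such a rule looks like over an event stream; it is not RF Defender code and nothing about the product's actual logic is known beyond the article. The event schema, thresholds, and window size are assumed for the example, and the event stream is constructed.

```python
from collections import defaultdict, deque

# Assumed tuning values for this example; a deployment would set them from
# baseline traffic at each reader.
WINDOW_SECONDS = 10
THRESHOLDS = {
    "read": 50,        # more than 50 tag reads per window at one reader
    "auth_fail": 5,    # more than 5 failed tag-password operations per window
}
RULE_NAMES = {
    "read": "read_flood",            # possible denial of service
    "auth_fail": "password_guessing",  # possible password-type attack
}


def detect_alerts(events, window=WINDOW_SECONDS, thresholds=THRESHOLDS):
    """Sliding-window rate detector over (timestamp, reader, kind, detail) events.

    Each (reader, kind) pair keeps the timestamps seen in the last `window`
    seconds; when the count exceeds the threshold, one alert fires for that
    pair and is not repeated, so a sustained flood yields a single alert.
    Returns a list of (timestamp, reader, rule_name) tuples.
    """
    windows = defaultdict(deque)
    fired = set()
    alerts = []
    for ts, reader, kind, _detail in sorted(events):
        key = (reader, kind)
        recent = windows[key]
        recent.append(ts)
        # Drop timestamps that have aged out of the window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        limit = thresholds.get(kind)
        if limit is not None and len(recent) > limit and key not in fired:
            fired.add(key)
            alerts.append((ts, reader, RULE_NAMES[kind]))
    return alerts


def build_sample_events():
    """Constructed event stream (integer seconds), not captured traffic.

    - dock-1: 60 reads in 6 seconds, ten per second (a read flood)
    - dock-2: 3 reads half a minute apart (normal)
    - gate-A: 7 failed tag-password operations in 7 seconds (guessing)
    - gate-B: 2 failures (normal noise)
    """
    events = []
    for i in range(60):
        events.append((i // 10, "dock-1", "read", "3034%020d" % i))
    for t in (200, 230, 260):
        events.append((t, "dock-2", "read", "3034%020d" % t))
    for i in range(7):
        events.append((100 + i, "gate-A", "auth_fail", "access-password"))
    for t in (300, 301):
        events.append((t, "gate-B", "auth_fail", "access-password"))
    return events


if __name__ == "__main__":
    for ts, reader, rule in detect_alerts(build_sample_events()):
        print("t=%ds reader=%s alert=%s" % (ts, reader, rule))
```

Feeding both reader-side events and middleware-side events into the same detector is what lets a correlation rule distinguish a reader that is being flooded from a middleware host that is simply slow; the example keeps a single stream for clarity.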

Perrymon, who says RF Defender won't be officially announced for a couple of months, acknowledges that the RFID security market is still young. "I know it's not huge right now, but it will be very huge in a couple of years."

The ultimate goal of the new RFID security auditing service, he says, is to flip-flop the conventional wisdom of going operational before securing the system: "We're going to do security before going operational."

RFID security expert Adam Laurie says RFID security auditing makes sense. "There's a need for it. At the moment it seems the industry has put blind faith in" RFID, he says. "I think this would be for people to be made aware of what actually are the potential security issues... And the sooner they are addressed, the better."

PacketFocus joins a sparsely populated RFID security market. Netherlands-based Riscure does RFID security testing, for instance, and there's a research project in Europe called RFID Guardian, an RFID firewall.

But Laurie, who at Black Hat Europe showed how it was possible to reprogram RFID tags and duplicate a legitimate user's building cardkey using code based on his RFIDIOt tools, says RFID devices such as a firewall may be overkill. "I think a lot of these are like using a sledgehammer to crack a nut."

Chris Paget, director of R&D for IOActive, says an RFID firewall or similar approach may be irrelevant: "If the card in your pocket is insecure, there's not a lot you can do to protect the system. No matter what you do with it, it cannot be trusted," he says. Meanwhile, he says, he's interested in learning more about PacketFocus's RF Defender appliance's features.

PacketFocus expects the supply chain sector in automotive, pharmaceuticals, large retail, and the Defense Department to be the biggest draw for its RFID security audit service initially. Perrymon made sure the service syncs with the National Institute of Standards and Technology's (NIST) Guidelines for Securing Radio Frequency Identification Systems announced last month, which is aimed at retailers, manufacturers, hospitals, federal agencies, and companies that use RFID in their supply chains.

"NIST doesn't [address] RFID access control," Perrymon says. "But the beauty of [our service] is you can apply it to anything," including building-access systems.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
